修正流洩漏之所在：沿插值路徑刻畫成員身份訊號

摘要

理解生成模型從訓練資料中保留了哪些內容仍具挑戰性，這對版權與隱私皆有影響。除了逐字複製外，模型還能編碼訓練資料中更微妙的痕跡，這些痕跡從未在其輸出中顯現，但仍可被利用。我們針對 Rectified Flow 研究此類情況，後者越來越多地用於部署的生成系統中。我們分析定義 Rectified Flow 訓練的插值路徑 X_λ = (1-λ)X_0 + λX_1。我們證明，在 λ 上存在一條鐘形曲線式的訓練與測試資料重建差距，該差距在訓練過程中累積，而驗證指標仍保持穩定。此訊號具有一個最大值，我們在高斯假設下推導出其位置的閉合解。我們在音訊與影像上驗證了這些預測，並顯示鐘形結構具有普遍性，而當我們的假設成立時，峰值預測也成立。作為概念驗證，我們利用此特定的 λ 解析結構來執行成員推理攻擊，以區分訓練集的成員與非成員。

English

Understanding what generative models retain from training data remains challenging, with implications for copyright and privacy. Beyond verbatim reproduction, models can encode subtler traces of their training data that never surface in their outputs yet remain exploitable. We study this regime for Rectified Flows, which are increasingly used in deployed generative systems. We analyse the interpolation path X_λ= (1-λ)X_0 + λX_1 that defines the Rectified Flow training. We show that a gap exists between the reconstruction of train and test data that follows a bell-shaped curve over λ, wich accumulates during training, while the validation metrics remain stable. The signal has a maximum whose location we derive in closed form under Gaussian assumptions. We validate these predictions on both audio and images and show that the bell-shaped structure is universal, while the peak prediction holds when our assumptions are satisfied. As a proof of concept, we exploit this specific λ-resolved structure to perform a Membership Inference Attack, distinguishing members of the training set from non-members.